In GNOME 46.0, gnome-remote-desktop has a feature where users can connect to a login screen via RDP and log in from there to a user session. This feature does not work when SELinux is in enforcing mode. audit2allow gives these errors:

```
allow xdm_t mount_var_run_t:dir watch;
allow xdm_t unconfined_service_t:tcp_socket { getattr getopt setopt shutdown };
allow xdm_t unconfined_t:tcp_socket { getattr getopt setopt shutdown };
```

But I suspect there is more needed than that, because the first-order problem is gnome-remote-desktop getting kicked off the system bus when it tries to pass the login screen gnome-remote-desktop instance a file descriptor in a bus method call reply.

Reproducible: Always

Steps to Reproduce:
1. Install Fedora 40
2. Log in
3. Run gnome-control-center
4. Visit the System panel and the Remote Desktop subpanel
5. Unlock it
6. Give it a username and password
7. Enable the slider
8. Disable firewalld
9. Connect to the machine with e.g. xfreerdp /u:test /p:test /v:IPADDRESS:3389
10. Notice it disconnects immediately
11. setenforce 0
12. Repeat step 9
13. Notice it works.
I can confirm this issue, setenforce 0 is required to make remote login work. Zdenek, could we please fix this before F40 Final release?
Please collect SELinux denials and attach them to this BZ.

```
# ausearch -m avc -m user_avc -m selinux_err -i -ts boot
```
```
$ sudo ausearch -m avc -m user_avc -m selinux_err -i -ts boot
----
type=AVC msg=audit(04/08/2024 03:41:40.281:289) : avc: denied { getopt } for pid=5239 comm=gnome-remote-de laddr=::ffff:192.168.0.137 lport=3389 faddr=::ffff:192.168.0.223 fport=38030 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
----
type=AVC msg=audit(04/08/2024 03:41:40.281:290) : avc: denied { getattr } for pid=5239 comm=gnome-remote-de laddr=::ffff:192.168.0.137 lport=3389 faddr=::ffff:192.168.0.223 fport=38030 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
----
type=AVC msg=audit(04/08/2024 03:41:40.281:291) : avc: denied { setopt } for pid=5239 comm=gnome-remote-de laddr=::ffff:192.168.0.137 lport=3389 faddr=::ffff:192.168.0.223 fport=38030 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
----
type=AVC msg=audit(04/08/2024 03:41:47.440:311) : avc: denied { shutdown } for pid=5239 comm=gnome-remote-de laddr=::ffff:192.168.0.137 lport=3389 faddr=::ffff:192.168.0.223 fport=38030 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
```
Hello,

On my Fedora 40 system with `sudo cat /var/log/audit/audit.log | audit2allow -m local`, I get:

```
module local 1.0;

require {
	type systemd_userdbd_runtime_t;
	type loadkeys_t;
	type efivarfs_t;
	type abrt_handle_event_t;
	type abrt_dump_oops_t;
	type systemd_coredump_t;
	type abrt_t;
	type kmsg_device_t;
	type xdm_t;
	type plymouthd_t;
	type mount_var_run_t;
	class capability { dac_override sys_admin };
	class dir watch;
	class file { read watch };
	class chr_file { read write };
	class process2 nnp_transition;
	class sock_file write;
}

#============= abrt_dump_oops_t ==============
allow abrt_dump_oops_t systemd_userdbd_runtime_t:sock_file write;

#============= abrt_t ==============

#!!!! This avc is allowed in the current policy
allow abrt_t abrt_handle_event_t:process2 nnp_transition;

#============= loadkeys_t ==============

#!!!! This avc is allowed in the current policy
allow loadkeys_t self:capability dac_override;

#============= plymouthd_t ==============

#!!!! This avc is allowed in the current policy
allow plymouthd_t efivarfs_t:file read;

#!!!! This avc is allowed in the current policy
allow plymouthd_t kmsg_device_t:chr_file { read write };

#============= systemd_coredump_t ==============
allow systemd_coredump_t self:capability sys_admin;

#============= xdm_t ==============

#!!!! This avc is allowed in the current policy
allow xdm_t mount_var_run_t:dir watch;

#!!!! This avc is allowed in the current policy
allow xdm_t mount_var_run_t:file watch;
```

But after applying this policy, nothing really changes.
The service terminates on a connection attempt with:

```
Apr 27 20:13:28 fedora gnome-remote-de[5571]: RDP server started
Apr 27 20:13:46 fedora gnome-remote-de[5571]: [RDP] Sending server redirection
Apr 27 20:13:46 fedora gnome-remote-desktop-daemon[5571]: [20:13:46:14] [5571:000015e4] [ERROR][com.freerdp.core.transport] - [transport_read_layer]: BIO_read retries exceeded
Apr 27 20:13:46 fedora gnome-remote-desktop-daemon[5571]: [20:13:46:15] [5571:000015e4] [ERROR][com.freerdp.core.peer] - [transport_read_layer]: ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
Apr 27 20:13:46 fedora gnome-remote-de[5571]: Unable to check file descriptor, closing connection
Apr 27 20:13:46 fedora gnome-remote-de[5571]: RDP server stopped
```

```
$ sudo ausearch -m avc -m user_avc -m selinux_err -i -ts boot
<no matches>
```

Firewall allows rdp:

```
$ sudo firewall-cmd --list-services
dhcpv6-client mdns rdp samba-client ssh
```
Capturing the relevant AVC denials requires temporarily disabling dontaudit rules:

```
sudo semodule -D -B; sudo setenforce 0
# ... testing here ...
sudo semodule -B; sudo setenforce 1
```

The result looks like this:

```
> journalctl -b _AUDIT_TYPE_NAME=AVC _AUDIT_FIELD_TCLASS=tcp_socket
May 04 21:40:38 fedora audit[757]: AVC avc: denied { read write } for pid=757 comm="dbus-broker" path="socket:[17518]" dev="sockfs" ino=17518 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
May 04 21:40:38 fedora audit[2192]: AVC avc: denied { read write } for pid=2192 comm="gdbus" path="socket:[17518]" dev="sockfs" ino=17518 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
May 04 21:40:38 fedora audit[2192]: AVC avc: denied { getopt } for pid=2192 comm="gnome-remote-de" laddr=::ffff:192.168.101.40 lport=3389 faddr=::ffff:192.168.101.1 fport=57336 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
May 04 21:40:38 fedora audit[2192]: AVC avc: denied { getattr } for pid=2192 comm="gnome-remote-de" laddr=::ffff:192.168.101.40 lport=3389 faddr=::ffff:192.168.101.1 fport=57336 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
May 04 21:40:38 fedora audit[2192]: AVC avc: denied { setopt } for pid=2192 comm="gnome-remote-de" laddr=::ffff:192.168.101.40 lport=3389 faddr=::ffff:192.168.101.1 fport=57336 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
May 04 21:41:01 fedora audit[2192]: AVC avc: denied { shutdown } for pid=2192 comm="gnome-remote-de" laddr=::ffff:192.168.101.40 lport=3389 faddr=::ffff:192.168.101.1 fport=57336 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
```

The working policy:

```
tee /tmp/grd.te << EOF > /dev/null
module grd 1.0;

require {
	type system_dbusd_t;
	type unconfined_service_t;
	type xdm_t;
	class tcp_socket { getattr getopt read setopt shutdown write };
}

allow system_dbusd_t unconfined_service_t:tcp_socket { read write };
allow xdm_t unconfined_service_t:tcp_socket { getattr getopt read setopt shutdown write };
EOF
checkmodule -M -m -o /tmp/grd.mod /tmp/grd.te
semodule_package -o /tmp/grd.pp -m /tmp/grd.mod
sudo semodule -i /tmp/grd.pp
```
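As an added illustration (not code from this bug report or from the selinux-policy project), the following script shows how the working policy above follows from the AVC records: it parses the denied permissions, source and target types and object class from each line and groups them into `allow` rules the way audit2allow does. The sample records are constructed, abbreviated copies of the journalctl lines above; the module name `grd` and version are assumptions.

```python
import re
from collections import defaultdict

# Fields audit2allow needs from one AVC record: denied permissions, source and
# target security contexts, and the object class (journalctl and ausearch -i formats).
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?scontext=(?P<src>\S+)"
                    r"\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")

def type_of(context):
    """Return the type field (user:role:type:...) of an SELinux security context."""
    return context.split(":")[2]

def parse_avc(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:  # skip non-AVC journal lines
            key = (type_of(m["src"]), type_of(m["tgt"]), m["cls"])
            rules[key].update(m["perms"].split())
    return rules

def render_te(module, version, rules):
    """Render the grouped denials as a Type Enforcement (.te) module source."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

# Constructed sample, abbreviated from the journalctl output quoted in the thread.
CTX = "scontext=system_u:system_r:{}:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1"
SAMPLE_AVCS = [
    'audit[757]: AVC avc:  denied  { read write }  for  pid=757 comm="dbus-broker" ' + CTX.format("system_dbusd_t"),
    'audit[2192]: AVC avc:  denied  { read write }  for  pid=2192 comm="gdbus" ' + CTX.format("xdm_t"),
] + [
    f'audit[2192]: AVC avc:  denied  {{ {p} }}  for  pid=2192 comm="gnome-remote-de" lport=3389 ' + CTX.format("xdm_t")
    for p in ("getopt", "getattr", "setopt", "shutdown")
]

if __name__ == "__main__":
    print(render_te("grd", "1.0", parse_avc(SAMPLE_AVCS)))
```

Unlike audit2allow, this does not consult the loaded policy, so it cannot flag rules that are already allowed (the "This avc is allowed in the current policy" annotations seen earlier in the thread); the generated module still has to go through checkmodule and semodule_package as shown above.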
Hello,

Do you know when exactly this issue happens and which process gnome-remote-desktop is communicating with?

```
ps -eo pid,ppid,fname,cmd,context | grep -e CONTEXT -e unconfined_service_t
```
(In reply to Zdenek Pytela from comment #6)
> Hello,
>
> Do you know when exactly this issue happens and which process
> gnome-remote-desktop is communicating with?
>
> ps -eo pid,ppid,fname,cmd,context | grep -e CONTEXT -e unconfined_service_t

In GNOME 46 settings, go to "System -> Remote Desktop -> Remote Login" and enable it. Under the hood, I think this simply configures and starts "gnome-remote-desktop.service" (so using systemctl to stop/start it should re-trigger the error).
Also, I do not know which process it tries to communicate with, but my best guess would be GDM.
(In reply to Zdenek Pytela from comment #6)
> ps -eo pid,ppid,fname,cmd,context | grep -e CONTEXT -e unconfined_service_t

```
    PID    PPID COMMAND  CMD                         CONTEXT
    773       1 switcher /usr/libexec/switcheroo-con system_u:system_r:unconfined_service_t:s0
  39930       1 gnome-re /usr/libexec/gnome-remote-d system_u:system_r:unconfined_service_t:s0
```
The system gnome-remote-desktop service communicates with an xdm_t gnome-remote-desktop session service before login and an unconfined gnome-remote-desktop session service after login. It also talks to gdm itself.
After adding the working policy, RDP started working again. But when it connects it says the connection is insecure...

Can anyone help me? I don't wanna remote into my server if it's insecure.
(In reply to suzuki.gui from comment #11)
> After adding the working policy, the RDP started working back again. But
> when it connects it says the connection is insecure...
> Can anyone help me? I don't wanna remote into my server if it's insecure.

Not related to the subject issue. Please consider asking on a forum.
Proposed as a Blocker for 41-final by Fedora user catanzaro using the blocker tracking app because:

Proposing as a violation of the basic functionality criterion. Remote login was supposed to be a key new feature in Fedora 40.
Blocker discussion ticket: https://pagure.io/fedora-qa/blocker-review/issue/1609
Hi, could this be prioritized please? It looks like it won't be accepted as an F41 release blocker, but having a major advertised feature of F40 totally nonfunctional with SELinux enabled looks really bad for SELinux.
I've started to work on this. There's a PR - https://github.com/fedora-selinux/selinux-policy/pull/2263 and a copr repository https://copr.fedorainfracloud.org/coprs/plautrba/selinux-policy-bz2271661/ with the patched selinux policy.

Using the following steps I'm able to use the remote desktop login described in https://bugzilla.redhat.com/show_bug.cgi?id=2271661#c0 in enforcing mode:

1. Disable remote login - I wasn't able to use remote desktop login after reboot when it had been enabled before the reboot, even in permissive mode.
2.
   ```
   $ sudo dnf copr enable plautrba/selinux-policy-bz2271661
   $ sudo dnf update
   $ sudo reboot
   ```

Unfortunately I'll be offline for the next 14 days. But feel free to test, review or improve the code and use it for an update.
-3 in https://pagure.io/fedora-qa/blocker-review/issue/1609 , marking rejected. But this *is* an important bug and we would appreciate a fix.
(In reply to Petr Lautrbach from comment #16)
> $ sudo dnf copr enable plautrba/selinux-policy-bz2271661
> $ sudo dnf update
> $ sudo reboot

I tested this and I'm able to log in remotely in enforcing mode, i.e. it seems that everything works OK. Can you please push it?
Rawhide build - https://bodhi.fedoraproject.org/updates/FEDORA-2024-6ed8287518
FEDORA-2024-3ec3dec089 (selinux-policy-41.17-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-3ec3dec089
FEDORA-2024-3ec3dec089 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-3ec3dec089` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-3ec3dec089 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Unfortunately, the gnome-remote-desktop module is missing in the build. I'll prepare another update asap: https://github.com/fedora-selinux/selinux-policy/pull/2352
Thank you!
FEDORA-2024-c09c252246 (selinux-policy-41.18-1.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-c09c252246
FEDORA-2024-3ec3dec089 (selinux-policy-41.17-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-c09c252246 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-c09c252246` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-c09c252246 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-c09c252246 (selinux-policy-41.18-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
Not working in Fedora 40, fully updated:

```
selinux-policy.noarch          40.28-1.fc40 @updates
selinux-policy-targeted.noarch 40.28-1.fc40 @updates
```

setenforce 0 required:

```
type=AVC msg=audit(10/22/2024 11:28:31.163:257) : avc: denied { getopt } for pid=4661 comm=gnome-remote-de laddr=::ffff:192.168.124.214 lport=3389 faddr=::ffff:192.168.124.1 fport=42592 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
----
type=AVC msg=audit(10/22/2024 11:28:31.163:258) : avc: denied { getattr } for pid=4661 comm=gnome-remote-de laddr=::ffff:192.168.124.214 lport=3389 faddr=::ffff:192.168.124.1 fport=42592 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
----
type=AVC msg=audit(10/22/2024 11:28:31.163:259) : avc: denied { setopt } for pid=4661 comm=gnome-remote-de laddr=::ffff:192.168.124.214 lport=3389 faddr=::ffff:192.168.124.1 fport=42592 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
----
type=AVC msg=audit(10/22/2024 11:28:34.809:264) : avc: denied { shutdown } for pid=4661 comm=gnome-remote-de laddr=::ffff:192.168.124.214 lport=3389 faddr=::ffff:192.168.124.1 fport=42592 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
```
*** Bug 2318023 has been marked as a duplicate of this bug. ***